The future of SOX as it turns 20

Our work environment has changed in the last two years which possibly leads to changes in the ICOFR (Internal control over financial reporting) for companies. It is difficult to highlight one particular topic because in addition to the pandemic-induced consequences of the last two years, like home office, raw material shortages and missing physical inventory procedures, ICOFR has also been significantly affected by hot topics like automation and ESG. Just to mention one example, companies have had to re-evaluate the fraud risk posed by working from home. Furthermore, an even greater focus has been put on increasing workflow and automation efforts as a result of economic pressure, a “new normal”. Consequently, digitalization of controls and process steps to reduce human involvement have never been more important.

Moreover, the energy crisis and supply chain challenges triggered by the current situation in Ukraine put higher pressures than ever on efficiency and cost savings of companies, and uncertainty defines the business environment. It can be argued that technological progress will be the main success factor in terms of efficient and effective ICOFR. So, investing in greater automation and the use of data analytics could clearly help to reduce costs and would eventually lead to huge financial savings in the long term. If the resources are used wisely, automation of ICOFR can lead to a reduction in vulnerabilities and bring about substantial monetary reward.

Data analytics is also playing an increasingly important role on the external auditor side. Similar tools and programs, like those used by external auditors to make audits more efficient and effective, can also be used by companies at the implementation stage, so as to match the depth of the external auditor's analysis and to keep pace technologically. We think that the advantages of automation outweigh the disadvantages; increased automation naturally leads to continuous monitoring of cyber risks, which are considered major ICOFR risk factors. 

In our experience, though, the greatest challenge here, from an internal controls perspective, is communication between the company's data security department and appropriate personnel. It is often the case that breaches and weaknesses are identified but are not shared appropriately within an organization. The networking and integration of data security officers into the ICOFR world is, therefore, incredibly important. Moreover, it is vital to understand the connection between automation, expert personnel and external auditors. There is virtually no external audit team that can perform an audit without the support of IT specialists. Greater automation will also help reducing audit costs overall, as a test of one will usually suffice as a sample size.

According to the latest Securities and Exchange Commission (SEC) announcement of March 21, 2022 proposing rules on climate-related disclosure, it has become clear that the ESG megatrend must finally be taken into account with regards to SOX trends. Since the SEC's founding principle is to present investment risk as fully and fairly as possible to shareholders and investors, it is only logical that reporting should now also focus on clear climate-related risk guidelines. As a result of companies making countless different disclosures on climate-related risks without any clear rules to follow, it has been near impossible for shareholders and investors to comprehend and compare information. The SEC believes that additional disclosure requirements are necessary to improve the consistency, comparability and reliability of climate-related disclosures.

What we can expect is that SOXifcation of ESG will be at least as exciting as the introduction of SOX 20 years ago. During the two decades since then, companies have learned that it is more difficult to implement ICOFR controls the further you move away from accounting functions. This is especially true with regard to ESG, which will be even more of a challenge, as the relevant functions are barely familiar with control concepts and less experienced with external auditors. Since the SEC plans to make it a mandatory requirement, robust systems and processes are vital. 

A combination of different data-driven techniques can increase efficiency and also reduce the cost of your SOX program. They can do so without compromising quality and with a high level of assurance, if you, for example:

1. Support your risk assessment process
2. Conduct a more efficient analysis of the processes, risks and controls
3. Support your testing process

In the future, regardless of whether the same strict SOX requirements are in place for ESG as there are for financial reporting, the ongoing paradigm shift will not leave the SOX program unaffected. In order to meet investor and stakeholder requirements, the amount of data that companies have to deal with will continue to increase.